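---
# Test playbook for the ansible-sshd role: exercise the three ways of
# declaring sshd Match blocks (the `sshd.Match` dict form plus the
# `sshd_match`, `sshd_match_1`, `sshd_match_2` list variables), then confirm
# with `sshd -T -C ...` that each block is the effective configuration for its
# user, and that the rendered config file contains the Match headers.
#
# The Match contents are test fixtures only: `PermitTunnel yes` for root and a
# chroot under /var/uploads/ are chosen to be easy to assert on, not as
# recommended settings. Note that sshd validates ChrootDirectory ownership and
# permissions only when a session is chrooted, so `sshd -T` below does not
# prove the directory is usable.
- hosts: all
  tasks:
    - name: Configure sshd
      include_role:
        name: ansible-sshd
      vars:
        # For Fedora containers, we need to make sure we have keys for sshd -T below
        sshd_verify_hostkeys:
          - /etc/ssh/ssh_host_rsa_key
        # Booleans are written as true/false (yamllint `truthy`); the role
        # renders them as the yes/no keywords sshd expects.
        sshd:
          Match:
            - Condition: "User xusers"
              X11Forwarding: true
              Banner: /tmp/xusers-banner
        sshd_match:
          - Condition: "User bot"
            AllowTcpForwarding: false
            Banner: /tmp/bot-banner
        sshd_match_1:
          - Condition: "User sftponly"
            ForceCommand: "internal-sftp"
            ChrootDirectory: "/var/uploads/"
        sshd_match_2:
          - Condition: "User root"
            PasswordAuthentication: false
            PermitTunnel: true

    - name: Verify the options are correctly set
      vars:
        # NOTE(review): only Fedora is assumed to use the sshd_config.d drop-in;
        # other distributions that ship a drop-in directory would need the same
        # branch — confirm against the role's config-path variables.
        main_sshd_config: >-
          {{ "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
             if ansible_facts['distribution'] == 'Fedora'
             else "/etc/ssh/sshd_config" }}
      block:
        # Make sure the role's "restart sshd" handler has run before querying
        # the daemon's effective configuration.
        - meta: flush_handlers

        # `sshd -T -C ...` prints the configuration that would apply to the
        # given connection spec; it is read-only, so it never reports a change.
        - name: List effective configuration using sshd -T for xusers
          command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
          register: xusers_effective
          changed_when: false

        - name: List effective configuration using sshd -T for bot
          command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
          register: bot_effective
          changed_when: false

        - name: List effective configuration using sshd -T for sftponly
          command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
          register: sftponly_effective
          changed_when: false

        - name: List effective configuration using sshd -T for root
          command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
          register: root_effective
          changed_when: false

        - name: Read current configuration file
          slurp:
            src: "{{ main_sshd_config }}"
          register: config

        # Each assertion checks that the intended Match block is effective for
        # its own user. It does not check that a block's settings are absent for
        # the other users (e.g. that `permittunnel yes` is root-only); a
        # negative assertion would need the global defaults the role applies.
        - name: Check the options are effective
          # note, the options are in lower-case here
          assert:
            that:
              - "'x11forwarding yes' in xusers_effective.stdout"
              - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
              - "'allowtcpforwarding no' in bot_effective.stdout"
              - "'banner /tmp/bot-banner' in bot_effective.stdout"
              - "'forcecommand internal-sftp' in sftponly_effective.stdout"
              - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
              - "'passwordauthentication no' in root_effective.stdout"
              - "'permittunnel yes' in root_effective.stdout"

        # Substring checks on the rendered file confirm the Match headers were
        # written (the `sshd -T` output above does not show them).
        - name: Check the options are in configuration file
          assert:
            that:
              - "'Match User xusers' in config.content | b64decode"
              - "'Match User bot' in config.content | b64decode"
              - "'Match User sftponly' in config.content | b64decode"
              - "'Match User root' in config.content | b64decode"
      tags: tests::verify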